Case Study:  Security Vision and Strategy Development

Strategic Initiatives - Timing of Key Milestones


A web applications company needed to articulate its security vision and develop a security strategy for consideration by its executive leadership. The company had very little in place and historically had had no centralized security function. Bellwether was engaged to identify corporate priorities, develop a single, cohesive strategy and identify the resources necessary to implement it. The company wanted the gaps, program costs and associated benefits laid out to facilitate a data-based decision-making process.  


Bellwether reviewed security planning documents available and conducted structured interviews with key outside service providers, internal security staff, real estate representatives and IT Security personnel. Based on a preliminary threat profile, the major security gaps were identified and matched to appropriate risk mitigation programs. These programs were prioritized and core milestones defined and laid out on a 3-year timeline. The resources required for each initiative were then identified by year, phase and priority.

Analysis & Results

The analysis indicated that there were considerable gaps to fill and that the initial budgetary resources set aside would be inadequate to undertake the security strategy envisioned. The prioritization of initiatives allowed implementation of certain core programs to get underway while the lower priority initiatives could be deferred for a period of time so that their associated benefits to the corporation could be further evaluated and reconsidered. The documentation of alternatives and their rationale for inclusion was packaged into a short executive presentation focused on the key drivers and their outcomes.

Benefits to Client

Our client was able to present a well articulated security strategy, with detailed support, to its Executive Leadership team. The case for investment was accepted and the high-priority programs implemented. Many of the key gaps were filled and the company’s security posture considerably enhanced. Overall, the security posture of the company was placed as a higher priority for executive consideration than it had been prior to our engagement and the contribution provided by the security function more widely appreciated.